d675f81960e27a32b69e02cae2dd6c58327c5378bce4a9e6142630d7fffdb051

General

Target

36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Size

647KB
MD5

36b3356906581a9501b10b8f2cb1414e
SHA1

f0dea476f2fa001a364590635de5cf6691489f5e
SHA256

d675f81960e27a32b69e02cae2dd6c58327c5378bce4a9e6142630d7fffdb051
SHA512

4a4f3c511aaed6b65bd4edefda540ef791ce11fe8a7acd8dc6eee18c6cb16de9fadc5c0417434da29ceb9fb328075b3b6167cf6336c96cbfcfb97686a6d2f61d
SSDEEP

12288:twZ+r2ML1m+WEB3b6zZwlAAG72vDj6knSFcYTnKuVPYlFdRAT:tg+rdL2EB3uz6A172v6kndeKOPYluT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1620	install.exe
2900	win32spl.exe

Loads dropped DLL 13 IoCs

pid	Process
2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
1620	install.exe
1620	install.exe
1620	install.exe
1620	install.exe
1620	install.exe
1620	install.exe
1620	install.exe
1620	install.exe
2900	win32spl.exe
2900	win32spl.exe
2900	win32spl.exe
3020	regsvr32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe /k"	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe /k"	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32spl = "C:\\Windows\\SysWOW64\\win32spl.exe"	win32spl.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{868AFD45-13E7-40ED-A67C-1234DC11FF62}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\q6k.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\install.exe	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\win32spl.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\d8h5.dll	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\q6k.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\q6k.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
File opened for modification	C:\Windows\q6k.sys	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32spl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32\ = "C:\\Windows\\SysWow64\\d8h5.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{868AFD45-13E7-40ED-A67C-1234DC11FF62}\	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 2304 wrote to memory of 1620	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 1620 wrote to memory of 2900	1620	install.exe	32
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33
PID 2304 wrote to memory of 3020	2304	36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36b3356906581a9501b10b8f2cb1414e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\install.exe
  "C:\Windows\system32\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\win32spl.exe
    "C:\Windows\SysWOW64\win32spl.exe" [*]install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2900
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\d8h5.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\d8h5.dll

Filesize
376KB

MD5
aa5037f77c15cdb377413d3699f7319c

SHA1
c63e6acc14c7639dc5c601508714e6fa9f4a170c

SHA256
75a18e892d70a56708a33ad99f2d5202cb90cf49cd09187d348025e2126a5c51

SHA512
83393788de03cf54d76f162311a276fefe1569f87e325a98df6e07529bd2c0369240c87167652b696e8a713883d73e75fb48f6eea7e0e78a25870632bdfbc745

Download Submit
C:\Windows\SysWOW64\install.exe

Filesize
26KB

MD5
6eefd6921f38c9b3144c492a41c1d998

SHA1
d446cfb7c92930928951319525341536373b96e8

SHA256
c0c7a7a40aa6481e2db56781e8d22692c52606bd821582b008749becbed67bf1

SHA512
02c5b26dbd64eae486036eb9763db0d27c1bf53e832b977a275991c1ef02e3d911a061880597535012ef89db6c192919b041c208a23ad3b92de756d5e24f0249

Download Submit
C:\Windows\SysWOW64\win32spl.exe

Filesize
53KB

MD5
d022db65c5402acefe6bcd204765e6e7

SHA1
d43bfcbcce33c2ed8a983f28e8762af9542c94f3

SHA256
46492ae8c75a15f19b72c1826b9cab27a540f85c5ac76cb58aadcd1e641d7028

SHA512
9300a589e939fde66f7f2b9360f5bf1c8e91907945a50b96ae9c4d263dd48751bbdef9af616974354a90c48eabcbb2793365bf589258873d7f26596d1badf181

Download Submit
C:\Windows\q6k.sys

Filesize
956KB

MD5
e453c8e7393e3cfe73d894279c12744c

SHA1
02dfae67898003129f860f91ae3ced920714bde9

SHA256
ad9f07af76d809384f63f8b2d474b628622b66f00e3f4fdb23fdf6864c290079

SHA512
cb27edfee9f45806fb3c0693817ec3918847b6e1a1da4ccdf02b6471c0086d823fd2036b854856897ccb0f15ac067ffaec8d9c83192e7c9430daa13922d2d5ec

Download Submit
memory/1620-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1620-17-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/1620-16-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/1620-24-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/1620-39-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2304-8-0x00000000041F0000-0x0000000004209000-memory.dmp

Filesize
100KB

Download
memory/2900-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3020-63-0x0000000000750000-0x00000000007BA000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads